Changelog for npm6-6.17.0-21.1.x86_64.rpm :
Thu Feb 28 13:00:00 2019 Adam Majer
- New upstream LTS release 6.17.0:

* deps: OpenSSL has been upgraded to 1.0.2r. Under certain
circumstances, a TLS server can be forced to respond differently
to a client if a zero-byte record is received with an
invalid padding compared to a zero-byte record with an
invalid MAC. This can be used as the basis of a padding
oracle attack to decrypt data.
(CVE-2019-1559, bsc#1127080)

* http:
+ Backport server.keepAliveTimeout to prevent keep-alive
HTTP and HTTPS connections remaining open and inactive for
an extended period of time, leading to a potential
Denial of Service (DoS). (CVE-2019-5739, bsc#1127533)
+ Further prevention of "Slowloris" attacks on HTTP and HTTPS
connections by consistently applying the receive timeout set
by server.headersTimeout to connections in keep-alive mode.
(CVE-2019-5737, bsc#1127532)

Fri Feb 1 13:00:00 2019 adam.majerAATTsuse.de
- nodejs.keyring: update keyring to today's list as per
https://github.com/nodejs/node

Mon Jan 7 13:00:00 2019 adam.majerAATTsuse.de
- Update upstream LTS release 6.16.0:

* cli: add --max-http-header-size flag

* http: add maxHeaderSize property
- Changes in LTS release 6.15.0:

* debugger: prevent the debugger from listening on 0.0.0.0.
It now defaults to 127.0.0.1. (CVE-2018-12120, bsc#1117625)

* deps: Upgrade to OpenSSL 1.0.2q, fixing
CVE-2018-0734 (bsc#1113652) and CVE-2018-5407 (bsc#1113534)

* http:
+ Headers received by HTTP servers must not exceed 8192 bytes
in total to prevent possible Denial of Service attacks.
(CVE-2018-12121, bsc#1117626)
+ A timeout of 40 seconds now applies to servers receiving
HTTP headers. This value can be adjusted with
server.headersTimeout. Where headers are not completely
received within this period, the socket is destroyed on
the next received chunk. In conjunction with
server.setTimeout(), this aids in protecting against
excessive resource retention and possible Denial of Service.
(CVE-2018-12122, bsc#1117627)
+ Two-byte characters are now strictly disallowed for the path
option in HTTP client requests. Paths containing characters
outside of the range \u0021 - \u00ff will now be rejected
with a TypeError. This behavior can be reverted if necessary
by supplying the --security-revert=CVE-2018-12116 command
line argument (this is not recommended).
(CVE-2018-12116, bsc#1117630)

* util: Fix a bug that would allow a hostname being spoofed when
parsing URLs with url.parse() with the 'javascript:' protocol.
(CVE-2018-12123, bsc#1117629)
- skip_test_on_lowmem.patch: skip test on low-memory build machine

Mon Nov 26 13:00:00 2018 adam.majerAATTsuse.de
- flaky_test_rerun.patch: Rerun failing tests in case of flakiness

Mon Nov 12 13:00:00 2018 adam.majerAATTsuse.de
- env_shebang.patch: dropped in favour of programmatic update

Mon Oct 1 14:00:00 2018 adam.majerAATTsuse.de
- fix_ci_tests.patch: Fix unit tests

Mon Aug 20 14:00:00 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.14.4:

* buffer: Fix out-of-bounds (OOB) write in Buffer.write() for
UCS-2 encoding (CVE-2018-12115, bsc#1105019)

* deps: Upgrade to OpenSSL 1.0.2p, fixing:
+ Client DoS due to large DH parameter
(CVE-2018-0732, bsc#1097158)
+ ECDSA key extraction via local side-channel

Sun Jul 29 14:00:00 2018 jengelhAATTinai.de
- Ensure neutrality of description.
- Use %make_install.

Fri Jun 15 14:00:00 2018 adam.majerAATTsuse.de
- Recommend same major version npm package (bsc#1097748)

Thu Jun 14 14:00:00 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.14.3:

* buffer: Fixes Denial of Service vulnerability where calling
Buffer.fill() could hang (CVE-2018-7167, bsc#1097375)

Thu May 24 14:00:00 2018 adam.majerAATTsuse.de
- env_shebang.patch: use absolute paths in executable shebang lines
- versioned.patch: updated to move shebang modifications to above
patch.

Fri May 11 14:00:00 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.14.2:

* n-api: n-api has been backported to v6.x.
- icu_61_namespacefix.patch: Fix building with ICU61.1 (bsc#1091764)
- versioned.patch: rebased

Thu Apr 5 14:00:00 2018 adam.majerAATTsuse.de
- Install license with %license, not %doc (bsc#1082318)

Wed Apr 4 14:00:00 2018 adam.majerAATTsuse.de
- Fix some node-gyp permissions

Tue Apr 3 14:00:00 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.14.1:

* Security fixes:
+ Fix for inspector DNS rebinding vulnerability
(bsc#1087463, CVE-2018-7160)
+ Fix for 'path' module regular expression denial of service
(bsc#1087459, CVE-2018-7158)
+ Reject spaces in HTTP Content-Length header values
(bsc#1087453, CVE-2018-7159)

* Upgrade to OpenSSL 1.0.2o

* deps: upgrade http-parser to v2.8.0

Thu Mar 22 13:00:00 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.13.1:

* http,tls: better support for IPv6 addresses

* console: added console.count() and console.clear()

* crypto:
+ expose ECDH class
+ added crypto.randomFill() and crypto.randomFillSync()
+ warn on invalid authentication tag length

* deps: upgrade libuv to 1.16.1

* dgram: added socket.setMulticastInterface()

* http: add agent.keepSocketAlive and agent.reuseSocket to
allow overridable keep-alive behavior of Agent

* lib: return this from net.Socket.end()

* module: add builtinModules api that provides list of all
builtin modules in Node

* net: return this from getConnections()

* promises: more robust stringification for unhandled rejections

* repl: improve require() autocompletion

* src:
+ add openssl-system-ca-path configure option
+ add --use-bundled-ca --use-openssl-ca check
+ add process.ppid

* tls: accept lookup option for tls.connect()

* tools,build: a new macOS installer!

* url: WHATWG URL api support

* util: add %i and %f formatting specifiers
- remove any old manpage files in %pre from before update-alternatives
were used to manage symlinks to these manpages.

Tue Feb 13 13:00:00 2018 adam.majerAATTsuse.de
- Add Recommends and BuildRequire on python2 for npm. node-gyp
requires this old version of python for now. This is only needed
for binary modules.

Tue Jan 30 13:00:00 2018 roAATTsuse.de
- even on recent codestreams there is no binutils gold on s390
only on s390x

Tue Jan 9 13:00:00 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.12.3:

* v8: profiler-related fixes

* mostly documentation and test related changes
- nodejs-sle11-python26-check_output.patch: refreshed

Fri Dec 22 13:00:00 2017 adam.majerAATTsuse.de
- Enable CI tests in %check target
+ fix_ci_tests.patch:
- DNS queries in buildroots are failing with EAI_AGAIN
- disable test-module-loading-globalpaths.js - we have
hardcoded global paths
+ versioned.patch: call versioned node binary for tests

Thu Dec 14 13:00:00 2017 adam.majerAATTsuse.de
- Dropped 8334.diff - no longer needed

Sat Dec 9 13:00:00 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.12.2:

* deps/openssl: updated to 1.0.2n (only applies to SLE 12 SP1
and lower) (bsc#1072322)
[ CVE-2017-3738 CVE-2017-15896 ]
- Changes in 6.12.1:

* build: fix npm install with --shared
[ gh#nodejs/node#16438 ]

* build: building on systems with default Python 3 is now
supported
[ gh#nodejs/node#16058 ]

* src: v8 options can be specified with either '_' or '-' in
NODE_OPTIONS
[ gh#nodejs/node#14093 ]
- Remove unnecessary curl BuildRequires
- Enable gold linker on s390x (TW and SLE/Leap 15)
- Build with bundled ICU if system ICU not available (only applies
to SLE 11)

Wed Nov 29 13:00:00 2017 qantas94heavyAATTgmail.com
- Change BuildRequires from openssl-devel to libopenssl-1_0_0-devel
due to Tumbleweed/Leap 15 change to OpenSSL 1.1.0 as default

Thu Nov 16 13:00:00 2017 adam.majerAATTsuse.de
- Update nodejs.keyring based on current Release Team as found on
https://github.com/nodejs/node#release-team

Mon Nov 13 13:00:00 2017 adam.majerAATTsuse.de
- Fix permissions of node-gyp. This should be executable to allow
building of binary node modules.

Mon Nov 13 13:00:00 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.12.0:

* assert: assert.fail() can now take one or two arguments

* crypto: add sign/verify support for RSASSA-PSS

* deps:
+ upgrade openssl sources to 1.0.2m
[OpenSSL Security Advisory (bsc#1066242, bsc#1056058)
CVE-2017-3735 CVE-2017-3736]
+ upgrade libuv to 1.15.0

* fs: Add support for fs.write/fs.writeSync(fd, buffer, cb) and
fs.write/fs.writeSync(fd, buffer, offset, cb) as documented

* inspector: enable --inspect-brk

* process: add --redirect-warnings command line argument

* src:
+ allow CLI args in env with NODE_OPTIONS
+ --abort-on-uncaught-exception in NODE_OPTIONS
+ allow --tls-cipher-list in NODE_OPTIONS
+ use SafeGetenv() for NODE_REDIRECT_WARNINGS

* test: remove common.fail()
- 0f3e69db.patch, icu59.patch: removed empty patches
- nodejs-libpath.patch: refreshed

Wed Oct 25 14:00:00 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.11.5:

* zlib: (CVE-2017-14919: only affects TW) In zlib v1.2.9, a
change was made that causes an exception to be thrown when a
raw deflate stream is initialized with windowBits set to 8.
Node.js will now gracefully set windowBits to 9 (replicating
the legacy behavior) to avoid a DOS vector.

Thu Oct 19 14:00:00 2017 adam.majerAATTsuse.de
- Replace {{node_version_major}} with RPM define %node_version_number
for simpler spec file review.
- Make sure npm program remains executable

Wed Oct 4 14:00:00 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.11.4:

* net: support passing undefined to listen() to match behavior in
v4.x and v8.x

Mon Sep 11 14:00:00 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.11.3:

* deps: Snapshots are turned back on!!! (#14385)

* path: win32 volume-relative paths are working again! (#14440)

* tools: v6.x can now build with ICU 59 (#12078)
- Drop icu59.patch: merged upstream.
- Refresh versioned.patch

Thu Aug 17 14:00:00 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.11.2

* configure: add mips64el to valid_arch (#13620)

* crypto: updated root certificates based on NSS 3.30
(#13279, #12402)

* deps: upgrade OpenSSL to version 1.0.2.l (#12913)

* http:
+ parse errors are now reported when NODE_DEBUG=http (#13206)
+ Agent constructor can now be invoked without new (#12927)

* zlib: node will now throw an Error when zlib rejects the value
of windowBits, instead of crashing (#13098)
- Drop 0f3e69db.patch: fixed upstream

Wed Aug 2 14:00:00 2017 adam.majerAATTsuse.de
- Fix update-alternative handling in %postun - don't remove
links on upgrades.

Wed Jul 12 14:00:00 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.11.1

* v8: disable V8 snapshots. The hashseed embedded in the snapshot
is currently the same for all runs of the binary. This opens
node up to collision attacks which could result in a Denial
of Service. We have temporarily disabled snapshots until a more
robust solution is found. (bnc#1048299, CVE-2017-11499)

* The c-ares function ares_parse_naptr_reply(), which is used for
parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response
packet was crafted in a particular way.
(CVE-2017-1000381, bnc#1044946)

Fri Jul 7 14:00:00 2017 adam.majerAATTsuse.de
- Depend on nodejs-common that is then used to pick correctly
versioned node or npm binary. This is required since 3rd party
modules use `/usr/bin/env node` which breaks if multiple versions
of NodeJS are installed at the same time and non-default version
is used (for example, to compile a native module)

Thu Jul 6 14:00:00 2017 adam.majerAATTsuse.de
- npm_search_paths.patch: Since concurrent installations are now
possible, node manual pages are moved once again back under npm
searchable locations only.
- versioned.patch: All files are now under versioned directories
and names. node and npm symlinks are now managed by
update-alternatives
- node-gyp-addon-gypi.patch: Reference versioned directories only

Tue Jun 13 14:00:00 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.11.0

* added support for building mips64el

* cluster:
+ disconnect() now returns a reference to the disconnected
worker.

* crypto:
+ ability to select cert store at runtime
+ Use system CAs instead of using bundled ones
(obsoletes 8334.diff)
+ The Decipher methods setAuthTag() and setAAD now return this
+ adding support for OPENSSL_CONF again
+ make LazyTransform compatible with Streams1

* deps:
+ upgrade libuv to 1.11.0

* dns:
+ Implemented {ttl: true} for resolve4() and resolve6().

* process:
+ add NODE_NO_WARNINGS environment variable

* readline:
+ add option to stop duplicates in history

* src:
+ support "--" after "-e" as end-of-options

* tls:
+ new tls.TLSSocket() supports sec ctx options
+ Allow obvious key/passphrase combinations.
- Fix typo in node-gyp-addon-gypi.patch patch
- Refresh icu59.patch

Tue May 30 14:00:00 2017 adam.majerAATTsuse.de
- 0f3e69db.patch, icu59.patch: backported GCC 7 compilation fixes
for v8 and add missing ICU59 includes (bnc#1041282)

Tue May 23 14:00:00 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.10.3

* v8:
+ Trigger OOM crash on memory allocation errors
+ Don't treat catch scopes as possibly-shadowing for sloppy eval

* lib: fix event race condition with -e

* src: fix base64 decoding in rare edgecase

* tls:
+ fix segfault on destroy after partial read
+ keep track of stream that is closed
+ fix macro to check NPN feature
- nodejs-libpath.patch: updated

Wed Apr 5 14:00:00 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.10.2

* crypto: fix memory leak if certificate is revoked (#12089)

* deps: backport V8 fixes for spread syntax regression
causing segfaults (#12037)
- Changes not applicable to openSUSE in 6.10.2:

* deps: upgrade zlib to 1.2.11 (#10980)

* repl: revert commit that broke REPL display on Windows (#12123)
- Changes in LTS release 6.10.1

* performance: The performance of several APIs has been improved.
+ Buffer.compare() is up to 35% faster on average.
+ buffer.toJSON() is up to 2859% faster on average.
+ fs.*statSync() functions are now up to 9% faster on average.
+ os.loadavg is up to 151% faster.
+ process.memoryUsage() is up to 34% faster.
+ querystring.unescape() for Buffers is 15% faster on average.
+ querystring.stringify() is up to 7.8% faster on average.
+ querystring.parse() is up to 21% faster on average.

* IPC: Batched writes have been enabled for process IPC on
platforms that support Unix Domain Sockets. Performance gains
may be up to 40% for some workloads.

* child_process: spawnSync now returns a null status when child
is terminated by a signal. This fixes the behavior to act like
spawn() does.

* http: Control characters are now always rejected when using
http.request(). Debug messages have been added for cases when
headers contain invalid values.

* node: Heap statistics now support values larger than 4GB.

* timers: Timer callbacks now always maintain order when
interacting with domain error handling.

Sun Feb 26 13:00:00 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.10.0

* crypto: allow adding extra certs to well-known CAs

* deps: upgrade INTL ICU to version 58

* fs: cache non-symlinks in realpathSync

* process: add process.memoryUsage().external

* repl: allow autocompletion for scoped packages

* src: add wrapper for process.emitWarning()
- Modify 8334.diff:

* Remove merged reference counting code (#9409)

* Bring patch in line with upstream changes (#8334)

Fri Feb 3 13:00:00 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.9.5

* deps: upgrade openssl sources to 1.0.2k
(CVE-2017-3731, CVE-2017-3732, CVE-2016-7055,
bnc#1022085, bnc#1022086, bnc#1009528)
- No changes in LTS release 6.9.4
- Adjusted 8334.diff to be inline with accepted changes

Fri Jan 6 13:00:00 2017 qantas94heavyAATTgmail.com
- Add basic check that Node.js loads successfully to spec file

Wed Jan 4 13:00:00 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.9.3

* build: shared library support is now working for AIX builds

* deps/npm: upgrade npm to 3.10.10

* deps/V8: destructuring of arrow function arguments via computed
property no longer throws

* inspector: /json/version returns object, not an object wrapped
in an array

* module: using --debug-brk and --eval together now works
as expected

* process: improve performance of nextTick up to 20%

* repl: the division operator will no longer be accidentally
parsed as regex

* repl: improved support for generator functions

* timers: recanceling a cancelled timer will no longer throw

Fri Dec 9 13:00:00 2016 qantas94heavyAATTgmail.com
- New upstream LTS version 6.9.2

* buffer: coerce slice parameters consistently

* deps/npm: upgrade npm to 3.10.9

* deps/V8: Various fixes to destructuring edge cases
+ cherry-pick 3c39bac from V8 upstream
+ cherry pick 7166503 from upstream v8

* gtest: the test reporter now outputs tap comments as yamlish

* inspector: inspector now prompts user to use 127.0.0.1 rather
than localhost

* tls: fix memory leak when writing data to TLSWrap instance
during handshake
- Modify 8334.diff:

* ported and updated system CA store for the new node crypto code

Wed Nov 23 13:00:00 2016 adam.majerAATTsuse.de
- Add missing conflicts to base package. It's not possible to have
concurrent nodejs installations.

Fri Nov 18 13:00:00 2016 adam.majerAATTsuse.de
- Package unification across various branches of NodeJS. Package
for 4.x, 6.x and current (7.x) branches of NodeJS are now
handled via GitHub repository.
- NodeJS 6.x LTS package, based on NodeJS 4.x LTS layout. All
NodeJS packages are interchangeable. (FATE #321373)

Mon Nov 7 13:00:00 2016 adam.majerAATTsuse.de
- Add versioned dependencies for unbundling of c-ares and icu
libraries
- SLE12 can have unbundled libicu

Wed Nov 2 13:00:00 2016 qantas94heavyAATTgmail.com
- Fork package devel:languages:nodejs/nodejs
- Remove support-arm64-build.patch (not necessary for aarch64 build)
- Use system library versions of c-ares and ICU where supported
- Remove /usr/{lib,lib64}/node_modules from global module paths

* This is deprecated behaviour that was caused by an incorrect patch
in devel:languages:nodejs/nodejs almost 6 months ago (boo#985350)
- Modify nodejs-libpath.patch

* Move /usr/lib64/node_modules to %{_libexecpath} as npm isn't
architecture dependent (only npm itself is stored there)
- Remove nodejs-libpath64.patch
- Use separate .sig file instead of .asc file for source verification
- Use exec instead of xargs to remove files in install script


 